Global bans "seem" to be new. I've read many stories of shell scripts randomly permanently banning Android developers for life from their platform, but those stories always involved being banned from the Play Console and so forth, not being banned from Search / Maps / Gmail / YouTube / etc.
It seems to be news that if you tell people in public YouTube comments that you vote for Trump, or whatever it is they're enforcing today, Google will fight back by disabling your thermostat or whatever.
I used to work at Google on stuff related to account bans.
Global bans are not new. They were standard a decade ago. The reason is due to the structure of the various spam/abuse industries that plague any service that allows user generated content. What happens is this:
1. Accounts get harder to create as signup security improves
2. Black/grey-market account sellers come in and start creating accounts that get bought by spammers/fraudsters.
3. Spammer/fraudster abuses an account on service X, it gets locked for service X. They sell the accounts _back_ to the seller, who then resells the account once again with a note that it can't be used for YouTube or whatever.
4. Different spammer/fraudster buys the account, abuses it on a different service, goto step 3.
Their systems have some notion of why accounts were suspended or blocked, and the tech does support individual service level blocks. But they weren't used much back then because the pattern of a user being bad on one service and then being bad on every other service was too strong.
The problem of false positives was well known a long time ago, and the noise:FP rate is very good - if a script accidentally disabled good users with even quite low volume, the people in question would be on Twitter or HN within hours making articles like this one, which did get noticed. So false account blocks were pretty rare.
Back then and still now, I think Google need to make it easier to handle this situation. Strong end-user support in these situations is hard because genuine fraudsters will happily file support tickets and socially engineer support to get their accounts back - I even witnessed auto-generated pleas to support once. They were quite convincing individually, only when you saw a few thousand of them with re-arranged sentences all begging for help with identical language was it clear they were spam. However they could still make it a lot easier, and in particular, could improve Google Takeout to be easier to use (e.g. automatically uploading the backups to various non-Google services).
Why are accounts suspected of TOS violations not simply put into read-only mode instead of shutting out users completely? If the identity/authorisation of the user is not in doubt it makes zero sense to not let people download their data before closing the account.
This simple change would fix all the consumer related horror stories with zero cost to Google. In fact it would become cheaper for Google because people would stop pleading with them.
Also, why is there no one-off paid support option that covers the cost of a human checking evidence and is expensive enough to deter mass abuse by fraudsters? Why is there no option to provide a photo ID upfront so that there is always a last resort to check whether a user is who they say they are?
A lot of abuse is things like posted comments. The locks are retroactive and "account disabled" is a signal to each service to hide content generated by that user.
Read only mode would make sense for content that's truly private, or which can be made private. Nothing stops them allowing Google Takeout for disabled accounts, heck maybe they do these days.
Paid support:
1. the optics of false positives being held to ransom to get their account back is terrible. Giving the money back isn't always easy (credit cards support this sometimes but many users don't have them). And this is made worse by:
2. many accounts aren't easily verifiable. People imagine that every Google/FB user puts their entire life on these accounts. A very small number do. For those, expensive ad-hoc processes could maybe increase the account verification rate by a little bit. But most accounts that get disabled are accounts with fake names, that use exclusively one service, etc. It's extraordinarily difficult to come up with reliable ways to verify the identity of the holder of accounts that required no identity to sign up.
> Back then and still now, I think Google need to make it easier to handle this situation. Strong end-user support in these situations is hard because genuine fraudsters will happily file support tickets and socially engineer support to get their accounts back - I even witnessed auto-generated pleas to support once.
How much are accounts currently worth on the market? It seems that making the recovery procedure more expensive than the worth of the account should resolve that issue. At the same time legitimate users are probably willing to invest some money in order to recover their account.
For example, offer a $20 option to send a registered letter to an address provided by the user. Then Google can check if: 1) the name on the credit card matches the name on the account, 2) a given address hasn't been used too often, 3) the identity check done by the postal service (checking if the recipient actually has a given name) succeeded.
This won't be a perfect solution and there are definitely edge cases for which it won't work (in countries without registered mail, if someone doesn't have a credit card, etc.). But it should be able to cover the majority of cases where legitimate accounts have been locked.
Most users don't have a credit card - they're not all in the USA. A big chunk don't even have bank accounts at all.
However, that's basically what phone verification does. In case of suspicion someone has to provide their mobile phone number. It's texted with a code and a counter is increased. The same number can't be used over and over. Unlike credit cards, the assumption of universal mobile phone access (amongst people who have internet access) is very strong. It works very well. In this case, the account was shut down without this being possible, which is only used normally for very clear-cut cases. Don't assume the full story is public.
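The phone verification flow described in the comment above, as an added Python example (not part of the thread and not Google's implementation): a code is texted, and a per-number counter caps how many accounts one number can verify. The cap, code lifetime, guess limit, the `PhoneVerifier` class and the `send_sms` callback are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

MAX_USES_PER_NUMBER = 3   # assumed cap; the comment gives no figure
CODE_TTL_SECONDS = 600    # assumed code lifetime
MAX_GUESSES = 5           # assumed wrong-guess limit per challenge

class PhoneVerifier:
    def __init__(self, pepper: bytes, send_sms):
        self._pepper = pepper
        self._send_sms = send_sms   # hypothetical SMS gateway hook: callable(number, code)
        self._uses = {}             # number digest -> accounts verified with it
        self._pending = {}          # account id -> [digest, code, expires, guesses_left]

    def _digest(self, number: str) -> str:
        # Normalise formatting so one number maps to one counter; keep only a keyed hash.
        normalized = "+" + "".join(ch for ch in number if ch.isdigit())
        return hmac.new(self._pepper, normalized.encode(), hashlib.sha256).hexdigest()

    def start(self, account_id: str, number: str, now=None) -> bool:
        now = time.time() if now is None else now
        digest = self._digest(number)
        if self._uses.get(digest, 0) >= MAX_USES_PER_NUMBER:
            return False            # this number has already vouched for too many accounts
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[account_id] = [digest, code, now + CODE_TTL_SECONDS, MAX_GUESSES]
        self._send_sms(number, code)
        return True

    def confirm(self, account_id: str, code: str, now=None) -> bool:
        now = time.time() if now is None else now
        entry = self._pending.get(account_id)
        if entry is None:
            return False
        digest, expected, expires, guesses_left = entry
        if now > expires or guesses_left <= 0:
            del self._pending[account_id]
            return False
        if not hmac.compare_digest(code.encode(), expected.encode()):
            entry[3] -= 1           # burn one guess; the challenge dies at zero
            return False
        del self._pending[account_id]
        # Re-check the cap: several challenges may have started before any completed.
        if self._uses.get(digest, 0) >= MAX_USES_PER_NUMBER:
            return False
        self._uses[digest] = self._uses.get(digest, 0) + 1
        return True
```

The counter is incremented only on a successful confirmation, so an unanswered SMS does not use up the number's allowance.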
Then what you do is set up some sort of monetary charge, to verify that the person you are dealing with is real. Someone willing to pay for support is highly likely to be an actual customer, not a fraudster; and you can even have their local bank or notary to verify their identity, if you are worried about identity theft.
This is a problem that is largely solved at government scale, which is what Google is now, and there's no reason not to take advantage of existing infrastructure to do so.
The vast majority of Google accounts have no real identity associated with them. Also, this doesn't help if an account was NOT a false positive. You're assuming this guy is truly innocent of all problems, but from past experience, unfortunately I can say that sometimes when obviously non-spammy accounts go poof overnight and nobody is willing to explain why, it's because it's related to a criminal investigation.
I'm confused. The goal of my proposal was that someone who was wrongly flagged (a false positive) could identify themselves as such by being willing to put up a (cash) bounty, or identify themselves with a financial/government institution that is set to handle such things at scale. Someone who is committing fraud, or trying to steal anonymously, or is involved in other criminal activities, is extremely unlikely to do such things. Legitimate people, however, would have a route out of this Kafkaesque maze. That system could even be automated, and it would work better than what's going on now. At a certain point, some problems just cannot be solved with just code.
Google+ banned accounts globally if they discovered a fake name. Fun way to roll out a Facebook killer. Kind of killed Google+ but that's a story for another day.